{
	"id": "cb5dbebe-247f-47ee-a2c5-64ae14740d6f",
	"created_at": "2026-04-06T00:12:49.049121Z",
	"updated_at": "2026-04-10T13:11:37.848438Z",
	"deleted_at": null,
	"sha1_hash": "accf73c1ce66fef1fc738db8120c156547c0e2a9",
	"title": "Introduction to Alternate Data Streams | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 77974,
	"plain_text": "Introduction to Alternate Data Streams | Malwarebytes Labs\r\nBy Pieter Arntz\r\nPublished: 2015-07-21 · Archived: 2026-04-05 13:16:15 UTC\r\nWhat are Alternate Data Streams?\r\nAlternate Data Streams (ADS) are a file attribute only found on the NTFS file system.\r\nIn this system a file is built up from a couple of attributes, one of which is $Data, aka the data attribute. Looking at\r\nthe regular data stream of a text file there is no mystery. It simply contains the text inside the text file. But that is\r\nonly the primary data stream.\r\nThis one is sometimes referred to as the unnamed data stream since the name string of this attribute is empty (“”).\r\nSo any data stream that has a name is considered alternate.\r\nThese data streams suffer from a bad reputation since they have been used and abused to write hidden data,\r\nvarying from data about where a file came from to complete malware files (e.g. Backdoor.Rustock.A).\r\nIf you are up for an experiment, we can easily create and read an alternate data stream.\r\nStreams\r\nThe first tool you can use was developed by Sysinternals (later bought by Microsoft) and is called Streams (nomen\r\nest omen).\r\nIn the example above we used the echo command to create an empty file called example with an alternate data\r\nstream called showme.\r\nBy using streams we can check which files have alternate data streams. In the results visible in the above\r\ncommand prompt, $Data is the name of the attribute (as discussed earlier) and the 8 tells us the size.\r\nBut since we are looking at it, we obviously would like to see what is inside the alternate data streams.\r\nUnfortunately, Streams does not offer that option.\r\nGet-Item\r\nIf you are using Windows 8 (or newer) there is a built-in option to read ADS. You can use PowerShell commands\r\nto achieve this. 
For those that have no experience with it, you can start it by typing PowerShell in the Run box\r\n(Windows key + R) and follow the lines in this screenshot.\r\nSet-item\r\nAnother thing that you can do with PowerShell is add streams to a file. The PowerShell command syntax is:\r\nset-content -path {path to the file} -stream {name of the stream}\r\nDoing so will initiate a cmdlet where you can enter the content of the stream under Value[i].\r\nSearch for ADS\r\nIf you want to search a directory or drive for ADS you can use this command in the root of the target:\r\ngci -recurse | % { gi $_.FullName -stream * } | where stream -ne ':$Data'\r\nBe warned that if you include the Windows directory in your search you will likely receive an enormous list.\r\nRemove ADS\r\nA word of warning here. Removing ADS is not always advisable. Some of them are needed for the proper use of\r\nthe software that created the streams. So make sure you have done your research before removing them. The\r\nsyntax is:\r\nremove-item -path {path to the file} -stream {name of the stream}\r\nMalwarebytes Anti-Malware scans for and removes unwanted ADS (as Rootkit.ADS).\r\nSummary\r\nAlternate Data Streams (ADS) have been given a bad reputation because their capability to hide data from us on\r\nour own computer has been abused by malware writers in the past. Hopefully this article will clear up some of the\r\nquestions and mystique you had about ADS.\r\nResources:\r\nAlternate data streams in NTFS\r\nExploring Alternate Data Streams\r\nAbout the author\r\nWas a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich\r\nmahogany and leather-bound books.\r\nSource: https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/"
	],
	"report_names": [
		"introduction-to-alternate-data-streams"
	],
	"threat_actors": [],
	"ts_created_at": 1775434369,
	"ts_updated_at": 1775826697,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/accf73c1ce66fef1fc738db8120c156547c0e2a9.pdf",
		"text": "https://archive.orkl.eu/accf73c1ce66fef1fc738db8120c156547c0e2a9.txt",
		"img": "https://archive.orkl.eu/accf73c1ce66fef1fc738db8120c156547c0e2a9.jpg"
	}
}